By James D. Naber
Traditionally, the role and responsibilities of the audit committee have always been critical to a community bank’s integrity, transparency and internal control environment. In addition to ensuring the quality and integrity of the bank’s audit and related accounting practices, the audit committee provides board oversight to ensure legal and regulatory compliance.
Greatly influenced by the glare of the Sarbanes-Oxley spotlight, the role of audit committee members continues to evolve to include broader oversight in matters of financial responsibility and risk management, including potential implications for the bank’s financial condition. No longer are community bank boards composed primarily of members who are key customers of the bank or community business leaders.
In an environment that continues to include an unfavorable yield curve, rising costs and signs of credit quality and asset erosion, committee members are being asked to assume advisory roles that require significant banking and financial experience.
Successfully managing these new responsibilities requires a commitment to identifying members with the requisite skills, setting priorities, identifying issues and remediating high-risk issues in a timely manner.
The list of critical issues facing today’s audit committees is extensive and audit committees need to answer these important questions:
Is there an appropriate “tone at the top” regarding the importance of a strong internal control environment?
Are you satisfied that there is an effective risk management program in place that will withstand regulatory scrutiny in a declining economic environment?
How is the internal audit plan developed and is it truly risk-based?
Do you understand the testing strategies?
How are internal and external audit exceptions reported to the board?
When audit exceptions and issues are reported to the audit committee, is enough detail provided to allow members to truly understand the significance and risk to the institution?
Is there a board level tracking report that incorporates all internal, external and regulatory exam findings?
Is management required to respond in a timely manner to internal and external audit findings?
Is there effective follow-up?
Has management established an effective fraud prevention program?
Has the board adopted a whistle-blower policy and process?
Does internal audit have the appropriate support from the audit committee and CEO?
Is the audit plan sufficient to cover compliance matters?
Is the audit committee up-to-date with regulatory developments?
Are you satisfied that there are appropriate internal controls over major risks?
Are you satisfied with the experience level of members of the audit committee relative to their understanding of financial reporting and internal controls?
Have audit committee members received adequate training?
By organizing these issues into five logical categories, the audit committee creates valuable resources capable of handling the heavy lifting, thereby allowing the committee to focus on its oversight role in establishing priorities. These five categories are discussed further:
Assessment of control environment;
External auditor oversight;
Effective use of internal auditing; and
Financial accuracy addresses completeness of financial disclosures, significant business and accounting policy changes, correct and truthful reporting, and interim reviews of financial statements. The bank’s chief financial officer and staff do the detail work, but the committee members should understand thresholds of materiality and key estimates versus historical data, the areas most susceptible to fraud and external auditors’ opinions.
The committee should own the relationship with the CPA firm acting as external auditor. Ownership requires direct reporting, ongoing communication, frequent meetings and robust discussions about audit scope and results. Oversight also includes fees, scope, selection criteria, independence, rotation and performance monitoring.
Effective use of the internal audit function requires that both auditors and committee members have an in-depth understanding of the business culture, systems and processes as they develop the audit plan. The plan must be based upon a risk-based assessment of the operations including technology, financial and regulatory compliance. Audit committees and senior management need to avoid taking a checklist approach to internal audit and manage an audit plan that focuses on the significant risks to the institution.
To provide appropriate oversight, the committee needs to understand management’s process for assessing risks facing the organization. With upfront involvement, the audit committee can ensure there is an effective assessment of the control environment – for example, that the Enterprise Risk Management (ERM) program is based upon an assessment of risk; and that the fraud prevention and detection program is integrated into the process.
Nothing is more important to an institution’s success – or to its very survival – than its ability to manage risk, because every risk borne by the organization impacts its financial outcomes. ERM provides organizations with a competitive edge by identifying key risks – strategic, operational, reporting, compliance, technology – and assessing those risks for likelihood of occurrence and impact on the organization. ERM provides four avenues for managing risk: senior management and board oversight; effective policies and procedures; internal controls; and risk monitoring. Audit committee members and senior management should not mistake a risk assessment for a comprehensive ERM program.
The role of the audit committee continues to expand in importance and complexity. Committee members can effectively fulfill their duties by:
Understanding their responsibilities;
Setting and keeping their priorities in order;
Using the available resources; and
Playing their part in sustaining a robust ERM program.
James Naber is managing director of Accume Partners’ (www.accumepartners.com) New England Banking Practice. He can be reached at email@example.com.